  • Thesis

A Penetration Testing Vehicle with a Mutation-Based Detection-Evasion Mechanism

Penetration Testing Approach by Mutating Sled of Exploit

Advisors: 楊明豪 羅嘉寧

Abstract

Because worms can be used to spread attacks rapidly to their targets, a worm that carries malicious code and uses encryption to evade intrusion detection systems (IDS) would cause enormous damage to today's network defense architecture. Traditionally, a worm's shellcode has been the primary signature by which an IDS decides whether traffic constitutes a network attack; to evade detection, attackers therefore apply simple encryption to the shellcode, producing what is commonly called a polymorphic worm.

To defend against polymorphic worms, we first need to study whether such worms can vary enough to evade existing IDS detection mechanisms. In this thesis we therefore investigate and employ encryption mechanisms and diverse decoders to test whether the signature-based IDS Snort can correctly detect our penetration testing vehicle. We also propose modifying the worm's sled so that execution can begin at any byte and still run correctly through to the shellcode, and adjusting the opcode distribution, in order to test whether IDSs that analyze executable code, such as STRIDE and APE, can successfully detect the polymorphic worms we generate.

In our laboratory we mutated the collected Sasser and Blaster worms as a base, added normal background traffic to the experimental environment, and ran comparative tests against Snort and STRIDE. We found that the mutated worms successfully evaded the intrusion detection systems, and that our vehicle could carry the test program to the destination host, propagating successfully with a probability above 90%.

Abstract (English)

A worm is usually used to rapidly spread exploit code to hosts on the Internet, and if it utilizes encryption techniques it can cause serious damage, since traditional IDSs are not able to detect the shellcode of an encrypted polymorphic worm. To defend against polymorphic worms, we need to study how polymorphism can mutate code to evade current detection mechanisms. In this thesis, we analyze and use encryption and polymorphic decoders to test whether Snort, a signature-based IDS, can detect our penetration testing tool. We propose a scheme to mutate the signature of a worm so that execution can start at any byte of the sled and still reach the shellcode normally on the destination host, in order to evade IDSs such as STRIDE or APE. Finally, we use the Sasser and Blaster worms as examples, blend them into normal traffic in our experiment, and emulate a penetration test against the IDSs Snort and STRIDE. According to the emulation results, our penetration testing tool could successfully carry the exploit code to the end host while evading the IDS in more than 90% of cases.

Keywords (English)

sled; IDS; shellcode; polymorphism; penetration test

References

[1] R. Sommer and V. Paxson, "Enhancing byte-level network intrusion detection signatures with context," Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 262-271, 2003.
[2] C. Kruegel, T. Toth, and E. Kirda, "Service specific anomaly detection for network intrusion detection," ACM Press, New York, NY, USA, 2002.
[8] P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis, "STRIDE: Polymorphic sled detection through instruction sequence analysis," 20th IFIP International Information Security Conference, 2005.
[11] T. Toth and C. Kruegel, "Accurate buffer overflow detection via abstract payload execution," Proceedings of the, vol. 5, pp. 274-291.
[15] P. Jungck, S. S. Y. Shim, and C. S. Technologies, "Issues in high-speed Internet security," IEEE Computer, vol. 37, pp. 36-42, 2004.

Cited by

林欲德 (2010). An ontology-based emergency response plan for computer viruses [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu201000915
黃盈豪 (2008). Building an ontology-based virus classification knowledge base system [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200900484
施文富 (2007). An adaptive anomaly intrusion detection method based on incremental hidden Markov models and Windows system calls [Master's thesis, National Central University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0031-0207200917345047
